Port probes
Summary of Port probes
Port probes are a key component of ServiceNow Discovery, used by the Shazzam probe to detect protocol activity on open ports of network devices. When a port probe identifies an active protocol, Shazzam determines which classification probe to launch based on configured priority. This process enables accurate device classification even when multiple protocols are active on a device.
Key Features
- Protocol Priority: The base system prioritizes protocols in the following order: 1 - WMI, 2 - SSH, 3 - SNMP, 4 - HTTP. The highest priority successful probe prevents the launch of lower priority probes, optimizing discovery efficiency.
- Port Probe Configuration: Accessible via Discovery Definition > Port Probes, the Port Probe form lets you define port probes with attributes such as name, description, scanner type, activation status, usage for Configuration Items (CIs) or IP addresses, and associated classification tables.
- Multiple Classification Probes: You can link several classification probes to a single port probe, improving discovery performance by allowing fallback options if one classification fails.
- Conditional Port Probes: These run only if non-conditional probes detect open ports. They are useful for resolving Windows and DNS names but consume additional resources.
- Supplementary Probes: These can launch after a higher-priority probe succeeds to gather additional classification details.
- Shazzam Probe Role: Performs the initial port scanning on specified IP ranges to find active devices and protocols. JSON encoding can be configured for Shazzam payloads to optimize scanning performance over large IP ranges.
Practical Benefits for ServiceNow Customers
- Enables precise and efficient discovery of devices by methodically identifying running protocols on open ports.
- Improves discovery accuracy by sequencing classification probes based on protocol priority and allowing multiple classification attempts.
- Supports customization through port probe configuration to handle non-standard port uses and complex network environments.
- Optimizes network scanning performance and resource usage, especially in large IP ranges, via Shazzam probe payload settings.
Port probes are used in Discovery by the Shazzam probe to detect protocol activity on open ports on devices it encounters.
When a port probe encounters a protocol in use, the Shazzam sensor checks the port probe record to determine which classification probe to launch. The common protocols WMI, SSH, SNMP, and HTTP in the base system have priority numbers that control the order in which they are launched.
The priority is as follows:
- 1 - WMI
- 2 - SSH
- 3 - SNMP
- 4 - HTTP
In the base system, the WMI probe is always launched first, and if it is successful on a device, no other port probes are launched for that device. If the WMI probe is not successful, then the SSH probe is launched to gather information on the device. If it is not successful, the SNMP probe is launched. This method allows Discovery to classify a device correctly if the device is running more than one protocol (for example, SSH, SNMP, and HTTP).
Discovery Port Probe form
To access the Port Probe form, navigate to Discovery Definition > Port Probes.
| Field | Input Value |
|---|---|
| Name | Simple name for the port probe that reflects its function (for example, SNMP). |
| Description | Definition of the acronym for the protocol. (For example, SSH is Secure Shell login). |
| Scanner | Shazzam techniques for exploring a port. Some of these are protocol-specific, and others are generic. For example, a WMI port probe uses a Scanner value of Generic TCP, and the SNMP port probe uses a value of SNMP. |
| Active | Indicates whether this port probe is enabled or disabled. |
| CIs | Indicates whether this port probe is enabled or disabled for discovering Configuration Items. |
| IPs | Indicates whether this port probe is enabled or disabled for discovering IP addresses. |
| Triggered by services | Indicates which services define the port usage. Use this setting to define non-standard port usage and pair the port number with the protocol. |
| Use classification | Names the appropriate classification table, based on the protocol being explored. |
| Classification priority | Establishes the priority in which this port probe runs. If the first port probe fails, then the next probe runs on the device, and so forth, until the correct data is returned. This allows for the proper classification of a device that has two running protocols, such as SSH and SNMP. The default priorities for the Discovery protocols are: 1 - WMI, 2 - SSH, 3 - SNMP, 4 - HTTP. |
| Supplementary | Launches supplementary classifications after a higher-priority identification succeeds, in order of priority. |
| Conditional | Runs this port probe if any one of the non-conditional probes returns an open port. The conditional port probes in the base system attempt to resolve the names of Windows devices and DNS names. These port probes take additional resources and are not used unless activity is detected on open ports. |
| Script | Script to run. |
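
The priority fallback described above, together with the Supplementary and Conditional fields from the form, can be modelled to predict which probes fire against a given host. This is an added example, not ServiceNow code: the function names, the record shape, the `dns` probe and the choice to flag SNMP as supplementary are assumptions made for illustration.

```javascript
// Simplified model of the launch logic this page describes; not ServiceNow code.
// Property names follow the form's field labels; function names are assumptions.
const PROBES = [ // priorities 1-4 are the page's defaults; the rest is constructed
  { name: 'wmi',  priority: 1, active: true, supplementary: false, conditional: false },
  { name: 'ssh',  priority: 2, active: true, supplementary: false, conditional: false },
  { name: 'snmp', priority: 3, active: true, supplementary: true,  conditional: false },
  { name: 'http', priority: 4, active: true, supplementary: false, conditional: false },
  { name: 'dns',  priority: 5, active: true, supplementary: false, conditional: true  },
];

// Conditional probes run only when a non-conditional probe reported an open port.
function conditionalProbesToRun(records, openNames) {
  const open = new Set(openNames);
  const triggered = records.some(p => p.active && !p.conditional && open.has(p.name));
  return triggered ? records.filter(p => p.active && p.conditional).map(p => p.name) : [];
}

// Try detected protocols in priority order. The first success stops the
// lower-priority probes, except those flagged Supplementary.
// Assumption: a supplementary probe still classifies normally if nothing
// higher in the order has succeeded yet.
function planClassification(records, openNames, succeeds) {
  const open = new Set(openNames);
  const detected = records
    .filter(p => p.active && !p.conditional && open.has(p.name))
    .sort((a, b) => a.priority - b.priority);
  const plan = { attempted: [], classifiedBy: null, supplementary: [] };
  for (const p of detected) {
    if (plan.classifiedBy === null) {
      plan.attempted.push(p.name);
      if (succeeds(p.name)) plan.classifiedBy = p.name;
    } else if (p.supplementary) {
      plan.supplementary.push(p.name);
    }
  }
  return plan;
}

// Constructed device: SSH, SNMP and HTTP answer; WMI does not.
const seen = ['http', 'snmp', 'ssh'];
console.log(planClassification(PROBES, seen, () => true));
console.log(planClassification(PROBES, seen, n => n === 'http'));
console.log(conditionalProbesToRun(PROBES, seen));
```

In the first call SSH classifies the device, HTTP is skipped and SNMP runs only because it is flagged supplementary; in the second, every detected protocol is attempted in priority order until HTTP succeeds.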